To protect software manufacturers' copyrights in software sold to the public, manufacturers commonly license software to the purchaser. Additionally, in many applications the purchaser has elected to pay only for certain features of software which must be selectively enabled by the manufacturer. An ongoing problem in the art is to prevent unlawful or unlicensed use of software; that is, the problem is to prevent software from being pirated and used on unauthorized hardware and/or otherwise authorized customers from actuating features for which the customer has not paid. Another ongoing problem is how to distribute electronically software while avoiding denial-of-service, man-in-the-middle and other forms of attack.
A number of methods have been developed to protect against unauthorized use of software and/or attacks.
In one method, a key is required to enable the software. This solution does not solve the copying problem because the key is normally printed on the packaging of the software, and anyone can install the software as many times as they wish, however illegal it may be.
In yet another method, a special piece of hardware or “dongle” is used. The dongle is a special piece of hardware that connects to the serial or parallel port of the computer. The software running on the computer sends a random number to the dongle. The dongle performs a secret computation (hereinafter a “feature-based computation result”) and returns a result. The software makes a like computation; if the two computations match, the software continues to run. To work satisfactorily, the response must include feature and version information. While protecting against attacks by hackers, the use of the dongle is cumbersome when it fails. In the event that the dongle fails, the system is down until a new dongle can be physically obtained on site. Also, once made the dongle is fixed. If it was used for feature activation, a new dongle is required for each additional feature that is purchased.
A further method is to freely distribute CD-ROM disks. When the CD-ROM is inserted into a computer, the computer automatically connects to a remote server via the Internet or a dial-up connection to receive a machine-specific key. Alternatively, the key is stored on the CD ROM. The key unlocks the software so that it can be utilized on that computer. The remote server can also obtain the necessary payment information from the computer user. This method does not function well for a certain types of software since it does not provide for the authorization to use different features of the same software application nor is it dependent on the version of the software being requested. In addition, it does not provide the necessary authorization of personnel to make such a request and fails to protect against attacks by hackers.
Another method requires the software, upon installation or first execution, to record serial number information (e.g., medium access control or MAC address) regarding predetermined hardware components of the computer system and/or a unique identifier generated from transient target computer state information, which is/are included in an electronic license. Using the information collected by the target computer, the licensing server generates and provides the license to the target computer. An ongoing problem is how to exchange the collected information and license in a secure manner.
Other methods are to distribute software and/or license information in encrypted form or via an encrypted session and/or to require the user to maintain a data connection with the vendor while using the licensed software. A problem arises, however, in distributing the encryption key in a secure manner. When the key is provided to the customer, the customer can provide the software to others along with the key, thereby permitting widespread piracy of the software. Requiring the user to upload potentially sensitive data to the vendor site introduces security concerns.
Another problem in software licensing is maintaining control of software in an enterprise environment. Numerous enterprise licensing methods are in use, including fixed licenses (which permit an application to execute only on certain designated computers) and floating licenses (which permit a certain number of applications to execute, at any one time, only on a limited number of computers). In the latter method, one common licensing scheme uses a fixed set of licenses controlled by a license server maintained by a vendor. The license information is maintained in a license database along with information regarding which applications are in use and how many units are still available. When an application is required, it commences running. Code embedded in the application initially requests a license or license validation from the server to facilitate the execution of the application. The server checks the license database and, when an appropriate number of licenses are available, grants the request. As requests are received and licenses granted, the relevant information is logged into a file to track usage of various applications. Because the computer, to execute, must contact the licensing server over an untrusted network, security remains a concern.
Another problem in software licensing is permitting licensing transactions through partially disabling firewall protection, thereby compromising the security of the local area network. Malicious code can be introduced by an attacker more easily through the compromised security gateway.
To address security concerns, quantum cryptography has been developed. Quantum cryptography is a form of cryptography that employs quantum properties of photons to exchange a random key over a public channel with perfect secrecy. Quantum cryptography has a number of cost and practical limitations.